As per Unit 42 of Palo Alto Networks' threat analysis, a fraudulent phishing technique known as domain shadowing is wreaking havoc. The company found that around 12,197 fake domains were shadowed between April 25 and June 27, 2022, to serve malicious content.
Cyber attackers are using domain shadowing for stealthy attacks. Once a threat actor gains access to or hijacks your Domain Name System (DNS) records, they create their own sub-domains under your legitimate, reputable domain and use them to host malicious content and carry out malicious activity. The hijacked domains tend to be used in several ways, such as evading security checks, distributing malware, committing fraud, etc.
It is worth noting that the attackers set up these shadow domains without altering the functioning of the original domain. This also works in the attacker's favor: the victims are unaware that a threat exists, and the owners of the original domains rarely check their DNS records to ensure they are secure.
However, Unit 42 employs a method to detect hijacked domains and their illegitimate sub-domains. It works through a checklist of steps: checking whether the IP addresses of the domain and the sub-domain are the same or different, checking how long the domain and its sub-domains have been active, and checking the naming patterns of the domains and sub-domains.
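The three checks in that checklist can be turned into a simple scoring heuristic that a defender can run over their own passive-DNS data. The Python below is an added example, not Unit 42's code or tooling; the DNS records are constructed (RFC 5737 documentation addresses), and the thresholds, the `parent_of` helper (which assumes the registrable parent is the last two labels) and the `looks_random` naming check are all assumptions chosen for illustration.

```python
"""
Heuristic scoring of sub-domains against the three checks the article lists:
IP mismatch with the parent domain, short activity window under a long-established
parent, and suspicious naming. Added example; records below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Assumed thresholds (not from the article); tune them on your own passive-DNS data.
SHORT_LIVED_DAYS = 14       # sub-domain observed for two weeks or less
ESTABLISHED_DAYS = 365      # parent domain observed for a year or more
MIN_RANDOM_LABEL_LEN = 6    # shorter labels are not judged on spelling
FLAG_SCORE = 2              # how many of the three signals must fire


@dataclass
class DnsRecord:
    name: str          # fully-qualified DNS name
    ip: str            # resolved IPv4 address (A record)
    first_seen: date   # first observation in passive DNS
    last_seen: date    # most recent observation


def parent_of(name: str) -> str:
    """Registrable parent domain; assumed here to be the last two labels."""
    return ".".join(name.split(".")[-2:])


def active_days(rec: DnsRecord) -> int:
    """Length of the window in which the record was observed."""
    return (rec.last_seen - rec.first_seen).days


def looks_random(label: str) -> bool:
    """Crude naming check: a long label whose letters contain almost no vowels."""
    if len(label) < MIN_RANDOM_LABEL_LEN:
        return False
    letters = [c for c in label.lower() if c.isalpha()]
    if not letters:
        return True
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return vowel_ratio < 0.25


def score_subdomains(records: List[DnsRecord]) -> Dict[str, int]:
    """Return a 0..3 score per sub-domain; the apex domains themselves are skipped."""
    by_name = {r.name: r for r in records}
    scores: Dict[str, int] = {}
    for rec in records:
        parent = parent_of(rec.name)
        if rec.name == parent or parent not in by_name:
            continue  # apex itself, or no parent record to compare against
        apex = by_name[parent]
        score = 0
        # 1. Does the sub-domain resolve somewhere the parent does not?
        if rec.ip != apex.ip:
            score += 1
        # 2. Brand-new sub-domain under a long-established parent?
        if active_days(rec) <= SHORT_LIVED_DAYS and active_days(apex) >= ESTABLISHED_DAYS:
            score += 1
        # 3. Does the left-most label look machine-generated?
        if looks_random(rec.name.split(".")[0]):
            score += 1
        scores[rec.name] = score
    return scores


def flagged(records: List[DnsRecord]) -> List[str]:
    """Names whose score reaches FLAG_SCORE, sorted for stable output."""
    return sorted(n for n, s in score_subdomains(records).items() if s >= FLAG_SCORE)


# Constructed sample records: two legitimate hosts plus two shadow-style sub-domains.
SAMPLE = [
    DnsRecord("example.com", "192.0.2.10", date(2015, 3, 1), date(2022, 6, 27)),
    DnsRecord("www.example.com", "192.0.2.10", date(2015, 3, 1), date(2022, 6, 27)),
    DnsRecord("mail.example.com", "192.0.2.11", date(2016, 8, 9), date(2022, 6, 27)),
    DnsRecord("login-secure4.example.com", "198.51.100.77", date(2022, 5, 2), date(2022, 5, 4)),
    DnsRecord("qz8k3hx2.example.com", "198.51.100.78", date(2022, 5, 10), date(2022, 5, 11)),
]

if __name__ == "__main__":
    for name, s in sorted(score_subdomains(SAMPLE).items()):
        print(f"{name:30} score={s}")
    print("flagged:", flagged(SAMPLE))
```

Note that `mail.example.com` legitimately resolves to a different address than the apex, so the IP check alone produces a false positive; requiring two of the three signals keeps it out of the flagged list while still catching the short-lived `login-secure4` host whose name is not obviously random. In practice the thresholds and the naming check should be calibrated against the organization's own DNS history rather than taken from this example.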
Domain shadowing can be called a new evolution in online threats, or of the fast-flux technique. It has been considered the most effective and hardest-to-detect technique used by any malicious attacker to date. The fraudulent actor can add tens of thousands of sub-domains to hijacked domains, and because they are created and used at random, the next victim's domain cannot be tracked.
According to Palo Alto Networks' threat researchers, when they became aware of the deceptive phishing technique and the rising number of cases associated with it, only 200 of them were considered potentially harmful.
Read the full article here